On 9/2/24 3:47 PM, Daniel Salzman wrote:
The 'deny' option should apply to every match. Please show me the current ACL rule.

Right, it does indeed :/ I feel a tad stupid now for not trying hard enough, but what really threw me off was the wording in the docs [1]:

If enabled, instead of allowing, deny the specified action, address, key, or combination of these items.

Much more importantly, though, I discovered that 3.3(?) introduced `update-owner-match: pattern` [2], which provides _exactly_ what I was asking for (matching "_acme-challenge.*.example.com"). So thanks for that :)

But for anyone playing along at home, this works even without `pattern`:

    acl:
      - id: txt_updates_protect
        action: update
        key: tsigkey.example.com
        update-type: [TXT]
        update-owner: name
        update-owner-name: [ _spf, _dmarc ] # Protect these records
        deny: on
      - id: txt_updates_allow
        action: update
        key: tsigkey.example.com
        update-type: [TXT]
        update-owner: name
        update-owner-name: [ example.com. ]
        update-owner-match: sub

    template:
      - id: default
        acl: [txt_updates_protect, txt_updates_allow]
        ...

So, sorry for the noise, but maybe someone else learned a thing or two, I know I did. And I might also submit a patch for the documentation :)

Cheers,
Conrad

[1] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#deny
[2] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#update-owner-match
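To make the ordering point concrete, here is a small model of how the two ACL rules above are evaluated. This is an added example written for this thread, not code from Knot DNS or from the poster; it assumes first-match semantics (the rules listed under a zone's `acl:` key are checked in order, the first rule whose conditions all hold decides, `deny: on` turns that decision into a refusal, and an update matching no rule is refused), that names in `update-owner-name` without a trailing dot are relative to the zone, that `update-owner-match` defaults to `sub-or-equal`, and that the `*` in a `pattern` stands for exactly one label. The helper names (`Acl`, `Update`, `evaluate`, `decide`, `fqdn`, `owner_matches`) are invented for this example.

```python
"""Toy evaluator for Knot-style update ACLs (added example; not Knot's code).

Assumed semantics (see lead-in): rules checked in order, first full match wins,
`deny` flips that match into a refusal, no match means refused.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def fqdn(name: str, zone: str) -> str:
    """Qualify a name as update-owner-name is documented: no trailing dot means
    relative to the zone. Everything is lower-cased and given a trailing dot."""
    name = name.lower()
    if not name.endswith("."):
        name = f"{name}.{zone.lower().rstrip('.')}."
    return name


def labels(name: str) -> List[str]:
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def owner_matches(owner: str, allowed: str, mode: str) -> bool:
    """The four update-owner-match modes, on fully qualified names."""
    o, a = labels(owner), labels(allowed)
    if mode == "equal":
        return o == a
    if mode == "sub":                       # strict subdomain, apex excluded
        return len(o) > len(a) and o[-len(a):] == a
    if mode == "sub-or-equal":              # subdomain or the name itself
        return len(o) >= len(a) and o[-len(a):] == a
    if mode == "pattern":                   # assumption: '*' = exactly one label
        return len(o) == len(a) and all(p == "*" or p == lbl for p, lbl in zip(a, o))
    raise ValueError(f"unknown update-owner-match: {mode}")


@dataclass
class Acl:
    id: str
    key: str                                # TSIG key the update must be signed with
    update_type: List[str]                  # RR types the rule applies to
    update_owner_name: List[str]
    update_owner_match: str = "sub-or-equal"  # assumed Knot default
    deny: bool = False


@dataclass
class Update:
    key: str
    rtype: str
    owner: str


def evaluate(acls: Sequence[Acl], upd: Update, zone: str) -> Tuple[str, Optional[str]]:
    """Return (decision, rule id). First matching rule wins; no match -> deny."""
    for acl in acls:
        if acl.key != upd.key or upd.rtype not in acl.update_type:
            continue
        owner = fqdn(upd.owner, zone)
        if not any(owner_matches(owner, fqdn(n, zone), acl.update_owner_match)
                   for n in acl.update_owner_name):
            continue
        return ("deny" if acl.deny else "allow", acl.id)
    return ("deny", None)


ZONE = "example.com."
# The two rules from the message, transcribed into this model.
THREAD_ACLS = [
    Acl("txt_updates_protect", "tsigkey.example.com", ["TXT"], ["_spf", "_dmarc"], deny=True),
    Acl("txt_updates_allow", "tsigkey.example.com", ["TXT"], ["example.com."],
        update_owner_match="sub"),
]
# Same intent expressed with the 3.3+ `pattern` mode (constructed for comparison).
PATTERN_ACLS = [
    Acl("acme_only", "tsigkey.example.com", ["TXT"], ["_acme-challenge.*.example.com."],
        update_owner_match="pattern"),
]


def decide(owner: str, rtype: str = "TXT", key: str = "tsigkey.example.com",
           acls: Sequence[Acl] = THREAD_ACLS) -> Tuple[str, Optional[str]]:
    return evaluate(acls, Update(key, rtype, owner), ZONE)


if __name__ == "__main__":
    for name in ["_acme-challenge.www.example.com.", "_spf.example.com.", "_dmarc", "example.com."]:
        print(f"{name:36} -> {decide(name)}")
    # Swapping the two rules shows why the deny rule has to come first.
    print("reversed order, _spf ->", decide("_spf.example.com.", acls=list(reversed(THREAD_ACLS))))
```

Running the script shows the ACME challenge name allowed by `txt_updates_allow`, the `_spf` and `_dmarc` names refused by `txt_updates_protect`, and the apex refused because `sub` excludes it; with the rules reversed, the allow rule matches `_spf.example.com.` first and the deny rule never gets a look, which is the ordering mistake the list-based approach has to avoid.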